Just a couple of short comments
I like the Cisco PIXes because they're:
A) Cheap
B) Fast
C) Easy to configure if you're used to it (I started to like the CLI in the
meantime)
D) There IS a graphical user-interface (PDM). However I've never used it
yet.
E) Software-update can be done within 2 minutes
F) No Unixish operating system
G) Less layers (os, different network-cards, etc)
H) Less driver-related problems to be expected due to a limited set of HW
I dislike:
A) Had to wait 3 months to get a stupid letter-sized piece of paper with some
20 char code on it. Then I had to email Cisco the code and wait and wait and
wait until I received the right activation key.
B) You can not get any sort of support without support contract. Not even
install support which even smaller companies offer.
C) Could not get a current software for the pix without calling my
distributor. The pixes were delivered with some 4.xx release. 6.xx is
current
D) Without the 3DES license not even unencrypted pptp VPN connections really
worked.
I won't talk a lot about Checkpoint as we're only using the Intrusion.com
PDS boxes.
They're neat, easy to configure, but rather expensive (compared to the pix).
Currently I like the pix better.
--------------------------------------
Boris Pavalec
Geschäftsführer, VRP
Network / System Engineer MCSE & MCT
HCS - Highend Computing Systems AG
Hohlstrasse 216
CH-8004 Zürich
Phone: + 41-1 240 29 50
Fax: + 41-1 240 29 59
eMail: [EMAIL PROTECTED]
--------------------------------------
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of SafierAdam
Sent: Friday, September 21, 2001 5:52 PM
To: Brian Ford
Cc: Ben Nagy; 'Michael Janke'; [EMAIL PROTECTED]
Subject: Re: Firewalls digest, Vol 1 #271 - 6 msgs
Brian,
> Hmm. Would you really want to be doing anything to 70+ firewalls at one
> time with a script?
Not really. But I don't want to manage 70+ boxes using a command line
interface either. I want something that helps me visualize the network and
look at the rules either summarized for similar objects or in detail for
individual objects. I've read of your CSPM in other posts here so I will
check it out next time I get to look at Cisco products, which should be soon
for client VPN. But so far the best interface I've seen is still the Check
Point GUI and their "centralized" management station concept is pretty
sensible. It's not perfect and they are (and better be) working hard on it
since so many others are coming out with web based and GUI interfaces of
their own.
> I thought your response was going to be FUD-free until I read this:
>
> At 03:11 PM 9/17/2001 -0700, safieradam wrote:
> >Do a quick survey of postings asking for help on PIX vs. Check Point. A few
> >years ago PIX seemed to have more problems needing patches and more people
> >having problems.
>
> I think many will agree this particular observation provides no real basis
> for comparison.
About 4 years ago I made a short lived effort to track a number of firewall
products and count the number of vulnerabilities and resulting patches
reported due to several IP attacks. I no longer have the numbers but the
impression remains that Cisco had more vulnerabilities, patches and cries
for help. The problem with statistics, particularly over a short sampling
period is that they can lie. Or maybe I wasn't looking in the right places.
Back then there was only one firewalls list. But I did look for several
months and formed an opinion. And the problem with people is that once they
form an opinion it's hard to go back and change your mind. That is why my
comment above had two parts:
a - I suggest that anyone selecting new product do their own survey of a
product's users postings. What kind of questions are the users asking? How
often are they stymied? How often is a patch necessary? Look around a bit
in the users groups and make a note of the things that count for you.
b - I point out that my eval was several years old. I stick by my opinion
that PIX "seemed" to have more problems. Certainly back then when it was a
fairly new product.
I give Cisco credit for one thing that I forgot to mention - when a
vulnerability was found and well known they were reasonably quick to come
out with a patch.
> > Cisco doesn't provide customer support via mail lists. The Cisco Technical
> Assistance Centers provide global 7x24x365 product support. As Michael and
> others have pointed out in this forum time and time again that is a huge
> differentiator between Cisco and competitors offerings.
Is Cisco support free? How do I contact them with product configuration and
feature questions?
At my prior employer (Fortune 100) I was told I had to go through our router
architecture engineer and could not contact Cisco directly. On the other
hand I had direct support from the Check Point support center and from an
SE. 24x7x365 is an option. Cisco may not use e-mail (I would not know since
I never had direct support) but you do use the web. Indeed, you get credit
for one of the best sites for on-line manuals and product config and
tutorials. But reading the manuals and tutorials can take a long time to
find an answer to a specific question and does not always answer the
specific question.
I don't want to get into a battle over who or what is best, especially with
a Cisco employee. There are several excellent firewall and VPN products out
there and each should be looked at within the context of your environment
and application. I am reviewing products for a specific purpose for a
current project and have assigned my partner the job of reviewing and
evaluating Cisco, along with others. He is studying for his second Cisco
certification so I expect a thorough evaluation, very detailed discussions
and even demos. I expect both of us to do the same for several other
products and have actual hands on with a final few. I would suggest to
anyone looking at products to look around, make a short list and finally get
some hands on time as part of the selection process.
Adam
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls